authorPiotr Nowicki <56911018+piotr-now@users.noreply.github.com>2020-06-01 08:09:26 +0200
committerGitHub <noreply@github.com>2020-06-01 08:09:26 +0200
commite071e42480e2e75f68a02e59457b1396393f1dbc (patch)
treec83358f5c83090158494331354bb69cf04165796
parentfc7c69df25f98961254cc36e2b297632b92f3d5e (diff)
parentf0ab6d62ac64e193d44a6e0276c75797add3f04b (diff)
downloadmbed-tls-e071e42480e2e75f68a02e59457b1396393f1dbc.tar.gz
Merge pull request #3336 from piotr-now/baremetal_flowmon
Increasing resistance to fault injection attacks related to memory operations.
-rw-r--r--library/platform_util.c12
-rw-r--r--tinycrypt/ecc.c22
2 files changed, 26 insertions, 8 deletions
diff --git a/library/platform_util.c b/library/platform_util.c
index 2c22b3c64..3869f30a5 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
@@ -111,6 +111,9 @@ void *mbedtls_platform_memcpy( void *dst, const void *src, size_t num )
/* Randomize initial data to prevent leakage while copying */
uint32_t data = mbedtls_platform_random_in_range( 256 );
+ /* Use memset with random value at first to increase security - memset is
+ not normally part of the memcpy function and here can be useed
+ with regular, unsecured implementation */
memset( (void *) dst, data, num );
memcpy( (void *) ( (unsigned char *) dst + start_offset ),
(void *) ( (unsigned char *) src + start_offset ),
@@ -124,23 +127,26 @@ int mbedtls_platform_memcmp( const void *buf1, const void *buf2, size_t num )
volatile const unsigned char *B = (volatile const unsigned char *) buf2;
volatile unsigned char diff = 0;
- size_t i = num;
-
+ /* Start from a random location and check the correct number of iterations */
+ size_t i, flow_counter = 0;
size_t start_offset = (size_t) mbedtls_platform_random_in_range( num );
for( i = start_offset; i < num; i++ )
{
unsigned char x = A[i], y = B[i];
+ flow_counter++;
diff |= x ^ y;
}
for( i = 0; i < start_offset; i++ )
{
unsigned char x = A[i], y = B[i];
+ flow_counter++;
diff |= x ^ y;
}
- return( diff );
+ /* Return 0 only when diff is 0 and flow_counter is equal to num */
+ return( (int) diff | (int) ( flow_counter ^ num ) );
}
uint32_t mbedtls_platform_random_in_range( size_t num )
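Review bot: `flow_counter` in mbedtls_platform_memcmp is a plain `size_t` while `diff`, `A` and `B` are `volatile`, so the optimizer may fold the two increments into the closed form `start_offset + (num - start_offset)` or drop the counter from the loops altogether, in which case `flow_counter ^ num` no longer reflects how many loop bodies actually executed and the skipped-iteration detection it is meant to provide may be compiled away; `volatile size_t flow_counter = 0;` would keep the count bound to the real iterations. The `(int)` cast on `flow_counter ^ num` also discards the upper half of a 64-bit `size_t`; that only matters for implausibly large mismatches, but a short comment saying the low bits are what is checked would make the intent explicit. The comment added in the first hunk has a typo ("useed") and reads awkwardly; `/* memset with a random value first: memset is not part of the memcpy contract and may use the regular, unhardened implementation */` says the same thing more clearly. The opening of mbedtls_platform_memcmp lies outside the hunk.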
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index c6c722a95..ba3626719 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -286,20 +286,32 @@ uECC_word_t uECC_vli_equal(const uECC_word_t *left, const uECC_word_t *right)
{
uECC_word_t diff = 0;
+ uECC_word_t flow_monitor = 0;
uECC_word_t tmp1, tmp2;
volatile int i;
- for (i = NUM_ECC_WORDS - 1; i >= 0; --i) {
+ /* Start from a random location and check the correct number of iterations */
+ int start_offset = mbedtls_platform_random_in_range(NUM_ECC_WORDS);
+
+ for (i = start_offset; i < NUM_ECC_WORDS; ++i) {
+ tmp1 = left[i];
+ tmp2 = right[i];
+ flow_monitor++;
+ diff |= (tmp1 ^ tmp2);
+ }
+
+ for (i = 0; i < start_offset; ++i) {
tmp1 = left[i];
tmp2 = right[i];
+ flow_monitor++;
diff |= (tmp1 ^ tmp2);
}
- /* i should be -1 now */
+ /* Random delay to increase security */
mbedtls_platform_random_delay();
- diff |= i ^ -1;
- return diff;
+ /* Return 0 only when diff is 0 and flow_counter is equal to NUM_ECC_WORDS */
+ return (diff | (flow_monitor ^ NUM_ECC_WORDS));
}
uECC_word_t cond_set(uECC_word_t p_true, uECC_word_t p_false, unsigned int cond)
@@ -848,7 +860,7 @@ void vli_mmod_fast_secp256r1(unsigned int *result, unsigned int*product)
}
while (carry < 0);
} else {
- while (carry ||
+ while (carry ||
uECC_vli_cmp_unsafe(curve_p, result) != 1) {
carry -= uECC_vli_sub(result, result, curve_p);
}
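Review bot: `flow_monitor` in uECC_vli_equal is not `volatile`, unlike the loop index `i` and unlike the `diff |= i ^ -1` check it replaces, so the compiler may derive its final value from `start_offset` rather than incrementing it per iteration, and `flow_monitor ^ NUM_ECC_WORDS` would then not detect a skipped loop body; `volatile uECC_word_t flow_monitor = 0;` keeps the check tied to the executed iterations. The comment before the return refers to `flow_counter` while the variable is named `flow_monitor`; suggest `/* Return 0 only when diff is 0 and flow_monitor equals NUM_ECC_WORDS */`. The signature of uECC_vli_equal sits in the hunk header rather than the hunk body, and the trailing hunk in vli_mmod_fast_secp256r1 is a whitespace-only change.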